Bug 1194514 - (CVE-2022-21824) VUL-1: CVE-2022-21824: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: Prototype pollution via console.table properties
(CVE-2022-21824)
VUL-1: CVE-2022-21824: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: Prototype ...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/319972/
CVSSv3.1:SUSE:CVE-2022-21824:4.0:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-01-11 08:02 UTC by Robert Frohl
Modified: 2022-05-17 19:21 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2022-01-11 08:02:45 UTC
Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Impacts:

    All versions of the 17.x, 16.x, 14.x, and 12.x releases lines.

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Comment 1 OBSbugzilla Bot 2022-01-12 09:50:08 UTC
This is an autogenerated message for OBS integration:
This bug (1194514) was mentioned in
https://build.opensuse.org/request/show/945772 Factory / nodejs16
Comment 4 Swamp Workflow Management 2022-01-18 14:39:24 UTC
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-01-18 17:20:12 UTC
SUSE-SU-2022:0114-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.3-6.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-01-18 17:23:05 UTC
SUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.9-4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-01-18 17:25:37 UTC
openSUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.3-15.24.1
Comment 8 Swamp Workflow Management 2022-01-18 17:29:34 UTC
openSUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.9-4.25.1
Comment 9 Swamp Workflow Management 2022-01-18 17:31:03 UTC
SUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.3-15.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Adam Majer 2022-02-16 10:32:49 UTC
All codestreams submitted. I don't believe nodejs8 is affected here. Reassigning to security team.
Comment 13 Swamp Workflow Management 2022-02-24 14:21:50 UTC
SUSE-SU-2022:0570-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1191962,1191963,1192153,1192154,1192696,1194514
CVE References: CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.24.1-1.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-04-13 19:26:18 UTC
openSUSE-SU-2022:0112-1: An update that fixes 35 vulnerabilities is now available.

Category: security (important)
Bug References: 1194511,1194512,1194513,1194514,1197680,1198053,1198361
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-1125,CVE-2022-1127,CVE-2022-1128,CVE-2022-1129,CVE-2022-1130,CVE-2022-1131,CVE-2022-1132,CVE-2022-1133,CVE-2022-1134,CVE-2022-1135,CVE-2022-1136,CVE-2022-1137,CVE-2022-1138,CVE-2022-1139,CVE-2022-1141,CVE-2022-1142,CVE-2022-1143,CVE-2022-1144,CVE-2022-1145,CVE-2022-1146,CVE-2022-1232,CVE-2022-1305,CVE-2022-1306,CVE-2022-1307,CVE-2022-1308,CVE-2022-1309,CVE-2022-1310,CVE-2022-1311,CVE-2022-1312,CVE-2022-1313,CVE-2022-1314,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.3-15.24.1
openSUSE Backports SLE-15-SP3 (src):    chromium-100.0.4896.88-bp153.2.82.1
Comment 15 Swamp Workflow Management 2022-04-17 19:17:46 UTC
openSUSE-SU-2022:0113-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514,1198204
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824,CVE-2022-24191
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.9-4.25.1
openSUSE Backports SLE-15-SP3 (src):    htmldoc-1.9.12-bp153.2.9.1
Comment 17 Swamp Workflow Management 2022-05-17 19:21:51 UTC
SUSE-SU-2022:1717-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1191962,1191963,1192153,1192154,1192696,1194514,1194819,1197283,1198247
CVE References: CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918,CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.44.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Server 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Proxy 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Enterprise Storage 7 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-150000.1.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.